CVE-2022-21654

Summary

Envoy is an open source edge and service proxy, designed for cloud-native applications. Envoy's tls allows re-use when some cert validation settings have changed from their default configuration. The only workaround for this issue is to ensure that default tls settings are used. Users are advised to upgrade.

Affected Software

VendorProductVersion RangeStatus
envoyproxyenvoy>= 1.7.0, < 1.18.6affected
envoyproxyenvoy>= 1.19.0, < 1.19.3affected
envoyproxyenvoy>= 1.20.0, < 1.20.2affected
envoyproxyenvoy>= 1.21.0, < 1.21.1affected

Weaknesses

  • CWE-295: CWE-295: Improper Certificate Validation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References